When we provide services for the general public, we use certificates
signed by a “trusted” third party. People who don’t know us (we don’t know them
either) can rely on the signature of the public CA (which we both know) to
initiate a secure and “trusted” communication channel.

This assures them that they are indeed talking to our server and that nobody can
eavesdrop on or read along with the communication.

The information and services we provide on these servers are still open to the
general public and not secret at all.

The situation changes completely when we provide private services that are not
intended for the general public.

As soon as we deal with a closed user group, public CAs are out of the question,
simply because they are public: a public CA will issue a certificate to
anybody, while our private service must ensure that only a select group of people
(or devices) has access.

Therefore, access to our private services needs to be secured with certificates
issued by our own private Certificate Authority.

As mentioned, the CA's private key needs a high level of security. More security
usually means less convenience: the private key must be stored in a secure place,
but on the other hand it is needed to sign certificates.

To make things both safer and easier, the private key that must be highly
protected is never used directly to sign the certificates of end users and
servers.

Instead, an intermediate CA is created one level below the root CA. The root
CA's private key is used only once, to sign the intermediate CA's certificate, and
is then stored away in its safe place.

After that, certificates for persons and devices can be signed by the
intermediate CA with its own private key.

If the intermediate's private key is stolen, lost or otherwise compromised, you
can simply discard it and create a new intermediate CA without losing everything,
as would be the case if this happened to the root CA key.

It is still advisable to protect the intermediate's private key with a password
and not to leave it on an unprotected server all the time.

The private key of the Certificate Authority's root certificate must be protected
and stored safely. Save it on an encrypted USB storage key or smartcard and keep
that device in a safe location. Depending on your security requirements, a bank
safe or another trusted third party is recommended. In the best case, you won’t
need to access the root key again for the next five years. Access to this key is
only needed if you lose control over the intermediate signing key or if you need
to make substantial changes to your Certificate Authority.

The private key of the intermediate signing authority should also be stored on an
encrypted storage device or smartcard, but may remain easily accessible for
everyday use. If this key is stolen or lost, the intermediate's certificate can be
revoked using the root signing key.
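The two-tier hierarchy described above, as an added example using the OpenSSL command line (this is not code from the original page; all names, paths and the passphrase are constructed): it builds the root, signs one intermediate with it, moves the root key aside, issues a server certificate with the intermediate alone, and finally shows the root revoking the intermediate's certificate through a CRL.

```shell
# Two-tier private CA with the OpenSSL CLI: offline root -> intermediate -> server cert.
# All names, paths and the passphrase below are constructed for this example.
# Run order: build_pki; verify_leaf; revoke_intermediate; intermediate_still_valid.
set -eu
PKI=${PKI:-$(mktemp -d)}          # scratch directory holding the whole hierarchy
INT_PASS='example-passphrase'     # constructed; keeps the intermediate key encrypted at rest

build_pki() (
    cd "$PKI"
    # Extension profiles: root and intermediate are CAs (the latter may only sign leaves), the server cert is not.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:intranet.example.test\n' > leaf.ext
    # 1. Root CA, self-signed for 10 years. Its key is used exactly once more, in step 2.
    openssl genrsa -out root.key 2048
    openssl req -new -key root.key -subj '/CN=Example Private Root CA' -out root.csr
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile root.ext -out root.crt
    # 2. Intermediate CA: passphrase-protected key, certificate signed by the root.
    openssl genrsa -aes256 -passout "pass:$INT_PASS" -out int.key 2048
    openssl req -new -key int.key -passin "pass:$INT_PASS" -subj '/CN=Example Intermediate CA' -out int.csr
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1825 -extfile int.ext -out int.crt
    # 3. Take the root key "offline": nothing below needs it any more.
    mkdir -p offline && mv root.key offline/root.key
    # 4. Server certificate, issued by the intermediate alone.
    openssl genrsa -out srv.key 2048
    openssl req -new -key srv.key -subj '/CN=intranet.example.test' -out srv.csr
    openssl x509 -req -in srv.csr -CA int.crt -CAkey int.key -passin "pass:$INT_PASS" \
        -CAcreateserial -days 365 -extfile leaf.ext -out srv.crt
)

# Clients trust only root.crt; the intermediate is shipped alongside the server certificate.
verify_leaf() {
    openssl verify -CAfile "$PKI/root.crt" -untrusted "$PKI/int.crt" "$PKI/srv.crt"
}

# 5. Intermediate key lost or stolen: fetch the root key, revoke the intermediate's
#    certificate and publish a CRL signed by the root. Minimal config for "openssl ca".
revoke_intermediate() (
    cd "$PKI"
    printf '[ca]\ndefault_ca=root\n[root]\ndatabase=index.txt\ncrlnumber=crlnumber\n' > ca.cnf
    printf 'certificate=root.crt\nprivate_key=offline/root.key\ndefault_md=sha256\ndefault_crl_days=30\n' >> ca.cnf
    touch index.txt && echo 1000 > crlnumber
    openssl ca -config ca.cnf -revoke int.crt
    openssl ca -config ca.cnf -gencrl -out root.crl
)

# Exits non-zero (certificate revoked) once the intermediate is listed on the root's CRL.
intermediate_still_valid() {
    openssl verify -crl_check -CAfile "$PKI/root.crt" -CRLfile "$PKI/root.crl" "$PKI/int.crt"
}
```

Note that verify_leaf still succeeds after the revocation unless the client actually checks the root's CRL, which is why the CRL has to be distributed to every relying party.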